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To: Chief Executives of authorized insurers carrying on long term insurance business 


Dear Sirs, 


Sandbox application for the distribution of long term insurance policies via video 
conferencing tools 


Background 
The IA has been working closely with the HKFI InsurTech Task Force on initiatives 


involving the use of technology for non-face-to-face (“non-F2F’’) distribution of long 
term insurance products. The pandemic situation caused by COVID-19 also prompts 
the need for measures to minimize the risk of infection during the sales process of 
insurance products. 


Issues arising out of the use of non-F2F distribution methods 
Despite the fact that insurance market of Hong Kong is relatively mature and developed, 


there exists a noticeable structural imbalance in the life market towards insurance 
products with significant savings or investment elements and a glaring protection 
gap. The IA sees merit in the more extensive use of InsurTech to address these issues. 
InsurTech can be a powerful tool to direct attention towards personal needs and risk 
mitigation, widen the range of distribution channels, and enrich the mix of more 
affordable insurance products. 


That said, the use of technology will invariably bring about new challenges in areas 
such as cybersecurity and other potential impediments which otherwise do not exist in 
a face-to-face setting. Such potential impediments may be caused by intermittent 
interruption during the sales process, an inability to physically and instantly share 
documents, issues in performing K YC effectively, and difficulties in obtaining signature 
etc, which in turn affect the strict adherence to the various supervisory requirements 
governing the sales of long term insurance products. 


Compensating measures need to be put into place to address such potential impediments 
and ensure that the principle of fair treatment of customers is strictly adhered to when 
non-F2F meetings are carried out through InsurTech initiatives such as video 
conferencing (“VC”). 


Information to be provided for the Sandbox application 

Insurers are required to submit applications through the InsurTech Sandbox (with 
information to be shared with the HKMA if bank channel is involved). Other than the 
requirements set out for the InsurTech Sandbox and other applicable guidelines (e.g. 
GL20 on cybersecurity, GL3 on Anti-Money Laundering and Counter-Terrorist 
Financing (“AML/CTF”), GL14 on outsourcing etc), insurers will be required to 
provide the IA with the following information upon application — 





(i) Detailed information about the process, procedures and controls to be put in place 
for the sales process using VC. 
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(ii) | Control and monitoring measures to be put in place to ensure compliance with the 
applicable requirements concerning the use of VC (e.g. GL 16 on underwriting 
long term insurance business (other than Class C Business), GL30 on Financial 
Needs Analysis, GL27 on policy replacement, GL28 on benefit illustrations etc). 


(iii) Details of the AML/CTF controls, including ML/TF risk assessments and the 
corresponding additional measures relating to non-F2F onboarding of customers. 


(iv) Details of the Sandbox trial including types of long term insurance products to be 
covered, length of the trial period (including different phases, if any), target 
customers (i.e. new / existing / vulnerable customers / Mainland China Visitors 
(“MCV”) etc), VC facility to be used (i.e. proprietary or third-party) and the 
technical assessment of its security etc. 


(v) Detailed information about the signature requirements (i.e. “signatures” must be 
legally binding and customers must be fully aware of the documents to be signed 
during the sales process). 


Requirements for the use of VC tools to distribute long term insurance products 

Other than those additional conditions to be imposed by the JA on individual 
applications, insurers (and intermediaries where applicable) will be required to comply 
with the following — 





(i) | Adequate control and monitoring measures to ensure that customers are not 
adversely affected due to the use of VC based on the principle of fair treatment of 
customers. 


(ii) Adequate control and monitoring measures to ensure that customers are provided 
with all the required documents and that the information transmitted during the 
process is clear, correct, complete and legible. 


(iii) Each VC session must be logged and identified with an audit trail. 


(iv) Adequate control and monitoring measures must be put into place to ascertain the 
locality of the customers before the sales process begins. For example, if MCV 
are involved, effective measures (e.g. IP filtering, GPS tagging, show of entry 
proof etc) must be put into place to ensure that the customers are physically 
located in Hong Kong before the sales process begins. 


(v) End-to-end recording (i.e. video with audio or audio only) of each VC session 
must be carried out (unless otherwise opted out by the customer, and in such case 
the opt-out decision itself must be recorded). 


(vi) The relevant recording must be kept for at least 7 years (or such shorter period as 
amended by the IA) after the termination of the relevant insurance policy(ies) 
sold. For the avoidance of doubt, in the case where there are more than one policy 
sold to the same policyholder(s) under the same process, the relevant recording 
should be kept for not less than 7 years (or such shorter period as amended by the 
IA) after the last policy terminates. For those cases where no policies are taken 
out by the customers after the sales process, the recording for the VC sessions 
should be kept for at least 12 months if the completed FNA forms would be kept 
for future use within the 12-month validity period as permitted under 6.9 of GL30. 
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(vii) Ongoing assessment on the security (including data protection and privacy) of 
using VC facility to ensure emerging risks and vulnerabilities are identified, 
mitigated and monitored in a timely manner, and that control measures in place 
remain effective and comply with relevant laws and regulatory requirements at 
all times. 


(viii) Effective control and ongoing monitoring mechanism on the following — 


(a) 


(b) 
(c) 
(d) 
(e) 


intermediaries with significantly higher than average opt-out rate for end- 
to-end recording; 

VC sessions without recording of customer confirmation for opt-in or out; 
VC sessions with opt-out confirmation recording only; 

any unauthorized access and usage of the VC facilities; and 

only VC facilities provided by the insurers are used by the intermediaries 
in the sales process. 


(ix) Prior consent from the IA be sought for any changes to the information provided 
to the IA in support of the Sandbox application. 


(x) Appropriate training should be provided to the intermediaries before they are 
allowed to use the VC facilities. 


(xi) Notifying the IA forthwith of — 


a. 
b. 


any sudden surge of complaints arising from the operation; 

the need to trigger the exit strategy and the relevant details of the exit plan; 
or 

any other adverse event (actual or potential) that is material to the proper 
operation of the Insurtech Sandbox trial and/or official launch (e.g. 
cybersecurity breach, leakage of personal data of customers, material 
system failure etc) 


In case of doubt, please contact your case officers accordingly. 


Yours faithfully, 


Carol Hui 


Executive Director, Long Term Business 
Insurance Authority 


c.c. The Hong Kong Federation of Insurers 


